Sadly you can still buy new phones from major carriers with 4.1 and lower. The pre-paid market is even worse. Most of those phones will never see an upgrade. You might be better off to VPN through a machine/service that's doing exploit detection on the fly.

This, this, a million times this. Please tell me that there's some state or federal law out there that allows a class action lawsuit against a company selling KNOWN VULNERABLE hardware, and explicitly stating that their handsets cannot and will never be be updated to fix them? This behavior by a telecom company is totally malicious and needs to be stopped now.

If you think this is hyperbole, check out StraightTalk's line of phones (paying close attention to the Android version numbers). Then check out their terms of service, specifically section 14.

If I had an android I'd stop visiting sites I don't know, and I'd stop using public Wifi until this got patched.

Yes, this is a very serious issue and affects a very large proportion of users. For anyone running 4.x versions of Android and with root access, the best hope is that someone will release an Xposed framework module to patch the issue.

"Someone."

Don't hold your breath. It's not going to get patched.

I am quite literally not buying another 'smart' 'phone' until I can get a halfway usable one running an OS that isn't beholden to one or more giant evil corporations. I refuse to run iOS because I'll be f!cked if I'm going to pay for something that doesn't allow me to install whatever I please, and Android ... yeah. This. And no updates. And so forth.

I hope Mozilla and/or Ubuntu manage to turn out something that's usable. I got a dumbphone for $15 off ebay a while back until then.

I don't mean to be cynical I'll admit that I've become quite cynical, but I think I'd need to see some security audits by respected professionals before I "trust" a smartphone, especially one that costs €400/$550. Additionally, some strong legal precedents protecting owners from decrypting devices would be pretty much essential, at this point.

Hip product promotion videos are fine and all, but I'm afraid I need something a little more substantial.

Google was too busy making sure apps cannot write on secondary SD Cards in KitKat and restricting more and more stuff with each new version, to be interested with that particular exploit.All of this because less is more with the pretext of security of course.

If I had an android I'd stop visiting sites I don't know, and I'd stop using public Wifi until this got patched.

Yes, this is a very serious issue and affects a very large proportion of users. For anyone running 4.x versions of Android and with root access, the best hope is that someone will release an Xposed framework module to patch the issue.

"Someone."

Don't hold your breath. It's not going to get patched.

I am quite literally not buying another 'smart' 'phone' until I can get a halfway usable one running an OS that isn't beholden to one or more giant evil corporations. I refuse to run iOS because I'll be f!cked if I'm going to pay for something that doesn't allow me to install whatever I please, and Android ... yeah. This. And no updates. And so forth.

I hope Mozilla and/or Ubuntu manage to turn out something that's usable. I got a dumbphone for $15 off ebay a while back until then.

You'd be surprised. It wasn't long (days from memory) before someone created an Xposed module to patch the 'master key' issues. Maybe I'll give it a shot - I've been meaning to try my hand at an Xposed module

Honest question, since I'm not very familiar with the Android ecosystem to say the least. Something like this Xposed module -- what sort of percentage of Android phones would end up installing it? And how does it become available to the user?

Thanks.

A number so close to 0% it might as well be 0.

Not that custom roms are difficult to install, it's just not something most are even aware of.

If I had an android I'd stop visiting sites I don't know, and I'd stop using public Wifi until this got patched.

Yes, this is a very serious issue and affects a very large proportion of users. For anyone running 4.x versions of Android and with root access, the best hope is that someone will release an Xposed framework module to patch the issue.

"Someone."

Don't hold your breath. It's not going to get patched.

I am quite literally not buying another 'smart' 'phone' until I can get a halfway usable one running an OS that isn't beholden to one or more giant evil corporations. I refuse to run iOS because I'll be f!cked if I'm going to pay for something that doesn't allow me to install whatever I please, and Android ... yeah. This. And no updates. And so forth.

I hope Mozilla and/or Ubuntu manage to turn out something that's usable. I got a dumbphone for $15 off ebay a while back until then.

Why not write your own OS?

I know, right? No-one has ever built a statue for a critic, after all.

Just because someone is incapable or unwilling to build an entire smartphone OS from scratch, they don't deserve privacy in their personal devices, amirite? Since you clearly have a home-brewed operating system running on your devices, I have to assume that qualified computer security professionals have reviewed it and found it secure. Right?

For the major handsets on the market running an older version of Android where the carrier won't update, why not install Cyanogenmod and call it a day?

This won't work for 100% of the hardware out there, obviously, but it will fix a great majority of it. It can be a little tricky to install in some cases, but really not that challenging, even for a casual user. There's a number of great how-to's out there specifically to help first-timers.

If I had an android I'd stop visiting sites I don't know, and I'd stop using public Wifi until this got patched.

Yes, this is a very serious issue and affects a very large proportion of users. For anyone running 4.x versions of Android and with root access, the best hope is that someone will release an Xposed framework module to patch the issue.

"Someone."

Don't hold your breath. It's not going to get patched.

I am quite literally not buying another 'smart' 'phone' until I can get a halfway usable one running an OS that isn't beholden to one or more giant evil corporations. I refuse to run iOS because I'll be f!cked if I'm going to pay for something that doesn't allow me to install whatever I please, and Android ... yeah. This. And no updates. And so forth.

I hope Mozilla and/or Ubuntu manage to turn out something that's usable. I got a dumbphone for $15 off ebay a while back until then.

I still see the (WebOS) Pre3 on Ebay... it has limitations but it's not a bad phone if you install all the patches. I'll be honest though, I'm still planning on switching to Windows Phone.

You'd be surprised. It wasn't long (days from memory) before someone created an Xposed module to patch the 'master key' issues. Maybe I'll give it a shot - I've been meaning to try my hand at an Xposed module

Honest question, since I'm not very familiar with the Android ecosystem to say the least. Something like this Xposed module -- what sort of percentage of Android phones would end up installing it? And how does it become available to the user?

Thanks.

A number so close to 0% it might as well be 0.

Not that custom roms are difficult to install, it's just not something most are even aware of.

morfraen point is kind of true - very few people run custom roms, and very few people used Xposed - but to understand the bigger picture I'll need to briefly describe the Xposed framework.

The Xposed framework provides a way to functionally modify the Java-based code running on an Android device without having to actually install a custom ROM, or indeed replace any important files on the device. As a result, it can be used to apply very small and specific changes to stock ROMs even on devices that don't have custom ROMs available. It does require root access, because it needs to integrate itself into the OS, but it is entirely reversible. (Note: Xposed only works with Dalvik, not ART, but since we're talking about older Android versions this isn't a problem in this context).

Anyway, basically what Xposed allows you to do is capture 'before' and 'after' a function runs in Android (app or OS), as well as what is passed to the function and what is returned. The implication is that you can basically change the behaviour of Android. For example, the Xposed framework has been used to:* add a CPU temperature indicator to the status bar* display notifications in the lock screen* fix bugs introduced by Android 4.3 on Sony devices* create highly granular per-app security management (XPrivacy -> I use this and it is awesome)(full list of modules here: http://forum.xda-developers.com/showthr ... ?t=2327541)

A great thing about Xposed is that this is all done through a user interface - no command line required.

In terms of people using itNot many people use Xposed, probably because it does require root, because they don't know it exists, and because they don't need to. To actually install it, you need a rooted device, you need to download the framework from XDA (http://forum.xda-developers.com/showthr ... ?t=1574401), you need to allow sideloading apps, and you need to install it. Then once installed (and rebooted) you need to find the module you want from the giant list of modules. It isn't hard, but unless you have the input of someone who is at least a bit across phone geeky stuff then you'd probably never try it.

So setting aside that Xposed isn't actually a custom rom, morfraen is pretty much right in saying that virtually no-one uses it.

Weird. I thought months ago Google updated the library that gave the bug its power via google play services.

I guess today's discovery may nullify this earlier statement in the previous article, but just to be sure, I'll post it

"While the vulnerability is potentially serious, there are several limitations that minimize the damage attackers can do when exploiting vulnerable apps. Chief among them is the fact that Android's permissions and sandboxing mechanisms prevent most Android apps from installing other apps without explicit permission from the end user. That will probably prevent the technique from being used to install malicious apps in most cases. As a backup, the "Verify Apps" setting available in all versions of Android could also be updated to stop malicious installations should attackers find a way to bypass the permissions and sandbox protections.

What's more, Tim Wyatt, director of security engineering at smartphone security provider Lookout, said some researchers may be exaggerating the threat of attackers obtaining root privileges unless they can exploit a second, unknown vulnerability in Android's permissions and sandbox protections."

I've got an LG Optimus G running Cyanogenmod 10.2.0, and it's reporting my Android version as 4.3.1. So, I guess I'm alright... You know, Cyanogenmod is a pretty clean implementation of Android. No crapware, no bloat, just Android and the apps you decide you want. And they update fairly regularly...

Well I'll be patting my Nexus and watching users of dodgy unsupported knock-offs from the likes of HTC or Samsung run around in a panic. Time to upgrade, guys! Bend over, open your wallets, this won't hurt a bit.

It's odd that the easiest device to use custom firmware on is a Nexus, but they're not the devices which most need it.

Is, say, Firefox vulnerable to this attack? I'm pretty sure I have family members running devices with this vulnerability...

Firefox isn't vulnerable (and probably nor is any other browser using its own rendering engine). The vulnerability is specifically related to the WebView.The WebView is the OS-provided web rendering engine which readily integrates into app views/interfaces. As such, it is what apps (typically) use when they are displaying web content within the app (in contrast to opening a URL in an external browser). If an app is showing you a web-based login screen, it is probably using WebView. If it is showing you help for the app being read from an external site, it is probably using a WebView. That RSS reader which can open the article online to view inside the app? Probably a WebView.

As a result, the problem is pretty inescapable. You can't readily change the rendering engine used inside WebViews, and there are no specific permissions required in order to use WebViews (beyond the normal 'network access' permissions).

Edit: rephrased for ease of reading.

Yeah and I think most people underestimate how often apps use this to display data. It is much more common than the average user would ever think as it is a fairly easy way for developers to present dynamic data.

If I had an android I'd stop visiting sites I don't know, and I'd stop using public Wifi until this got patched.

Yes, this is a very serious issue and affects a very large proportion of users. For anyone running 4.x versions of Android and with root access, the best hope is that someone will release an Xposed framework module to patch the issue.

"Someone."

Don't hold your breath. It's not going to get patched.

I am quite literally not buying another 'smart' 'phone' until I can get a halfway usable one running an OS that isn't beholden to one or more giant evil corporations. I refuse to run iOS because I'll be f!cked if I'm going to pay for something that doesn't allow me to install whatever I please, and Android ... yeah. This. And no updates. And so forth.

I hope Mozilla and/or Ubuntu manage to turn out something that's usable. I got a dumbphone for $15 off ebay a while back until then.

Why not write your own OS?

I know, right? No-one has ever built a statue for a critic, after all.

Just because someone is incapable or unwilling to build an entire smartphone OS from scratch, they don't deserve privacy in their personal devices, amirite? Since you clearly have a home-brewed operating system running on your devices, I have to assume that qualified computer security professionals have reviewed it and found it secure. Right?

You seem to be the one incapable of managing to use any of the available devices in a reasonable and secure manner.

Weird. I thought months ago Google updated the library that gave the bug its power via google play services.

I guess today's discovery may nullify this earlier statement in the previous article, but just to be sure, I'll post it

"While the vulnerability is potentially serious, there are several limitations that minimize the damage attackers can do when exploiting vulnerable apps. Chief among them is the fact that Android's permissions and sandboxing mechanisms prevent most Android apps from installing other apps without explicit permission from the end user. That will probably prevent the technique from being used to install malicious apps in most cases. As a backup, the "Verify Apps" setting available in all versions of Android could also be updated to stop malicious installations should attackers find a way to bypass the permissions and sandbox protections.

What's more, Tim Wyatt, director of security engineering at smartphone security provider Lookout, said some researchers may be exaggerating the threat of attackers obtaining root privileges unless they can exploit a second, unknown vulnerability in Android's permissions and sandbox protections."

Exactly which apps are included in that 'most'? The ones I want to be included in that group?

If I had an android I'd stop visiting sites I don't know, and I'd stop using public Wifi until this got patched.

Or you could just use Chrome, which gets regular updates from the store. Or Firefox and Opera, none of which even use the system's WebView.

A privilege escalation bug in the WebView's Javascript bridge is bad stuff, but it's not the end of the world. There are many mitigating factors.

1. You should never use a browser tied to the platform's WebView. The WebView is a rather stable API for developers to use. Fixing security bugs there is important, but the API and rendering must be minimally stable throughout a major version of the SDK, which makes it a bad choice to build a browser on. Browsers should be regularly updated. Conspiracy theories apart, this is one of the big reasons Google is deprecating Android's browser in favor of Chrome.

2. Apps that using the WebView should be extra careful. The recommendations are many, and the documentation discusses best practices at length. In this particular case, it would suffice for apps to fully trust content they display on a WebView. This means: either app local content, or HTTPs to your own servers, with a valid certificate.

3. Apps that must show third party content (RSS readers, etc) are seriously encouraged to disable JavaScript entirely or, at a minimum, disable the addJavascriptInterface bridge. Users of such apps should be extra careful of permissions. Does an RSS reader really need access to your contact list? Badly designed apps exposed to arbitrary websites are always going to be a problem.

Instead of just publicizing the problem and criticizing the players, the article could've also discussed what users and developers can do to protect themselves. In this particular case, there's quite a bit that can be done, short of not using the phone to browse the internet. It could be much worse.

Instead of just publicizing the problem and criticizing the players, the article could've discussed what users and developers can do to protect themselves.

My immediate question is then what I, as a user, can do to figure out if the apps I have installed uses this "WebView", and if they do, whether they use it in a safe manner?

If web content is being rendered inside an app, and the app is not a web browser, then it probably uses a WebView. The question, then, is how safe is the content. Unfortunately for a user who doesn't want to roll out a packet sniffer and disassembler, there is really no way to know (with one exception).If the app doesn't have permissions to access the internet, then you're safe simply because the source is already on the device and generated by the app author. If they wanted to write attack code, they could just put it in the app so the WebView issue becomes irrelevant.In every other case, you can't know what the app is doing with the WebView so you're pretty much stuck.

Another thing to keep in mind is that the only permissions that the exploit has access to are the ones that the app has already. Thus, an exploited webview in an app which has permission to access your SMS and SD card is much more dangerous than an exploited webview in a sudoku app which has only internet access permissions and nothing else. Edit: more accurately, an exploited webview in an app has the permissions of that app, and any other apps which share that UID - a process which must be explicitly performed by the developer.

If, just for fun, you did want to analyse an app to try to work out if it is vulnerable then you would do the following:1. Disassemble the app, and look for uses of the 'addJavascriptInterface' function call. If it is not being used, then there is no object accessible in the WebView that can be used to exploit.2. Sniff network traffic. If the app isn't using HTTPS, and it is using 'addJavascriptInterface', then it is exploitable3. Check certificate validation: run a MITM attack and replace the valid HTTPS certificate with an invalid one. If the app still allows the connection, it is vulnerable. (You'd be amazed how often this happens). The default behaviour of the WebView is to not allow invalid certificates, but if the developer is using a self-signed certificate they may have overriden the default behaviour when certificates are invalid, and not replaced it with a check that the certificate is the one they expect. (Note: if they do this, they need to be whipped)

Because it is hard to know if you've sniffed all the connection types that an app will make, it can also be worth searching for 'http://' in the disassembled code, and the various XML files.

Anyway, in summary: If an app renders HTML/web content, is not a browser, and has internet access it is potentially vulnerable and there is no easy way to check.Note: web browsers can also be vulnerable. I'm making the possibly unreasonable assumption that most browsers will use their own rendering engines and that those who don't will not be stupid enough to use addJavascriptInterface.

Seems to me that would be the difference between this being a problem and a disaster.

Depending on the ads, they might. Most mobile ads are either "pre-programmed" (text goes here, image goes there), or static images. But MRAID ads can use HTML5 content. A reputable ad network should ensure the authenticity of its ads, however, for business reasons if none other.

So the vulnerability was known 14 months ago and Google only patched it in November? Seems like Google is as much to blame here as the carriers/device manufacturers. And I thought waiting for "patch Tuesdays" was bad.

Note: web browsers can also be vulnerable. I'm making the possibly unreasonable assumption that most browsers will use their own rendering engines and that those who don't will not be stupid enough to use addJavascriptInterface.

The article specifically states some browsers are vulnerable. I'd be interested in knowing which browsers are these that use addJavascriptInterface, or whether this bug is unrelated to addJavascriptInterface.

Presently the only financial incentive to update Android on released devices is to not appear so bad at providing updates that people will not buy your hardware (and TBH, I doubt many mainstream purchasers are led by duration of updates; at best, it affects recommendations provided by geeks who know).

The average phone user isn't going to care about this kind of thing until it becomes a financial or usability issue. If an exploit is widely used to rip people off or make their phones unpleasant to use, Android (the brand) will develop a bad reputation. It will be like MS-Windows all over again when people started to buy Macs because they were thought to be "immune" from viruses. It's not about reality so much as the perception of it, although the upgrade path for most Android users is basically a disaster waiting to happen.

Seems to me that would be the difference between this being a problem and a disaster.

Depending on the ads, they might. Most mobile ads are either "pre-programmed" (text goes here, image goes there), or static images. But MRAID ads can use HTML5 content. A reputable ad network should ensure the authenticity of its ads, however, for business reasons if none other.

We've seen multiple cases where major ad networks have inadvertently distributed malware. "Should", maybe, but in practice it is clearly not something they do well, if they do it at all.

If I had an android I'd stop visiting sites I don't know, and I'd stop using public Wifi until this got patched.

Yes, this is a very serious issue and affects a very large proportion of users. For anyone running 4.x versions of Android and with root access, the best hope is that someone will release an Xposed framework module to patch the issue.

"Someone."

Don't hold your breath. It's not going to get patched.

I am quite literally not buying another 'smart' 'phone' until I can get a halfway usable one running an OS that isn't beholden to one or more giant evil corporations. I refuse to run iOS because I'll be f!cked if I'm going to pay for something that doesn't allow me to install whatever I please, and Android ... yeah. This. And no updates. And so forth.

I hope Mozilla and/or Ubuntu manage to turn out something that's usable. I got a dumbphone for $15 off ebay a while back until then.

Why not write your own OS?

I know, right? No-one has ever built a statue for a critic, after all.

Just because someone is incapable or unwilling to build an entire smartphone OS from scratch, they don't deserve privacy in their personal devices, amirite? Since you clearly have a home-brewed operating system running on your devices, I have to assume that qualified computer security professionals have reviewed it and found it secure. Right?

You seem to be the one incapable of managing to use any of the available devices in a reasonable and secure manner.

Given your griping it seemed like a reasonable question.

I'd quite readily grant that attacking iOS for being too locked-down and then going off and buying a dumbphone is about the stupidest thing one could ever do. For one, dumbphones aren't dumb -- they're just locked down to the extreme by carriers who get to have absolute control of everything on the device through the SIM card. And they're never updated. It's not sending a message of "make phones easier to update and customize" because the dumbphone embodies the polar opposite idea: make it simple and self-contained and let the carrier make sure it works. That being said....

Please show me an operating system which relies on a separate hardware vendor for updates to the application-level APIs, and which is also supported by Android's own SDK. If you can do it, maybe there's a justification for the feature to not exist beyond someone thinking that waiting for a 9-track or stack of papers with debugging commands to arrive by mail as an update strategy in the 70s was too user-friendly. But I kind of doubt it. There's no way the hardware's too limited -- somehow Windows Update was doing this back in the days when my laptop was completely maxed out at 144MB of RAM. And the connection can't be that big of a deal either -- again, I had dial-up and was doing just fine with security patches back in Windows 98. In the present day, Windows Update stil works. My Linux install is entirely up-to-date with a single command. And Apple -- despite having everything to gain by making people bin their old hardware -- manages to use their distribution network to actually protect the system in addition to just making lots of money. Even on mobile.

Really. I want to know: how is this regression supposed to be ignored? And why should someone have to write their own operating system when every other operating system they've likely used even momentarily in the past decade manages to support reasonable updates? Google left this out either in one of the biggest demonstrations of incompetence imaginable (so much so that I would question the safety of their services -- if they don't know about updates, any script kiddy will be getting into your Gmail account quite readily), or because they just don't care. In either case, they need to be called out on it, because it's not just crappy software anymore. It's dangerous to use it as advertised.

If I had an android I'd stop visiting sites I don't know, and I'd stop using public Wifi until this got patched.

Yes, this is a very serious issue and affects a very large proportion of users. For anyone running 4.x versions of Android and with root access, the best hope is that someone will release an Xposed framework module to patch the issue.

"Someone."

Don't hold your breath. It's not going to get patched.

I am quite literally not buying another 'smart' 'phone' until I can get a halfway usable one running an OS that isn't beholden to one or more giant evil corporations. I refuse to run iOS because I'll be f!cked if I'm going to pay for something that doesn't allow me to install whatever I please, and Android ... yeah. This. And no updates. And so forth.

I hope Mozilla and/or Ubuntu manage to turn out something that's usable. I got a dumbphone for $15 off ebay a while back until then.

Why not write your own OS?

I know, right? No-one has ever built a statue for a critic, after all.

Just because someone is incapable or unwilling to build an entire smartphone OS from scratch, they don't deserve privacy in their personal devices, amirite? Since you clearly have a home-brewed operating system running on your devices, I have to assume that qualified computer security professionals have reviewed it and found it secure. Right?

You seem to be the one incapable of managing to use any of the available devices in a reasonable and secure manner.

Given your griping it seemed like a reasonable question.

I know you intended your post as an insult, but no, I'm not capable of using a phone in a secure manner. And I doubt you are either, even if you think you are. I'm not going to belabor the point, but:

AOSP is, well, open source, but there's so much closed-source code running on your typical Android phone that it hardly matters. I have no assurances that either stock Android encryption or Samsung's encryption are genuinely secure. Also, this: http://www.extremetech.com/computing/15 ... he-freezer

So I hardly see it as an unreasonable conclusion to decide to buy an inexpensive phone, assume that it's fundamentally insecure, and then not put anything on it that one cares about keeping private.

Phone manufacturers make money by selling you phones. Once you have bought the phone, anything they spend to help you out is lost money. As has been mentioned, the only incentive for giving you updates is to have a good reputation to help with more phone sales.

This should be turned on its head. Phone manufacturers, or maybe even Google, should act like desktop OS companies, and offer updates after two years -for a fee-.

This has lots of advantages:1. They have the incentive to put out updates for older phones.2. They make money from their old phones. The more customers, the more money.3. If enough people own their phones, they could even make money without putting out new phones. It seems a more sustainable business than phone manufacturing. Microsoft makes quite a bit of money from desktops, yet they don't sell desktops. It's a good business!4. The phone companies (Verizon, AT&T, etc) would no longer have to subsidize new phone purchases to keep customers because people's phones wouldn't become obsolete after two years. Plans get cheaper!5. Everyone would be up to date with Android, which would help Google with the fragmentation problem.

So why isn't this happening????

Edit add:Forgot to mention the point most appropriate to this article:6. Everyone's security would be improved!

Well like any software vulnerability, you gotta ask what the attack vector is. Some vulnerabilities give attackers access just as bad as this one, but for example, require the attacker to have local access to the machine, or require the attacker to have a valid login, before they can attack. I was expecting something like that. But then.

Quote:

The WebView vulnerability allows attackers to inject malicious JavaScript into the Android browser and, in some cases, other apps. In turn, it helps attackers gain the same level of control as the targeted program. The easiest way to exploit the bug is to lure a vulnerable user to a booby-trapped Web page. Within seconds, the site operator will obtain a remote shell window that has access to the phone's file system and camera. In some cases, the exploit can also be triggered by performing a man-in-the-middle attack while the victim is on an unsecured Wi-Fi network. By hijacking the app's update process, attackers can gain control over the same resources already granted to the app, including permissions such as access to SD cards and geographic data.

That's bad. That's really bad.

If I had an android I'd stop visiting sites I don't know, and I'd stop using public Wifi until this got patched.

Android HAS been patched. If you're running Android 4.2 or later, it's patched.

But most manufacturers and networks don't push updates, so you need to take control of your phone's software and keep it updated yourself if they don't do it for you.

( I'm running Cyanogenmod KitKat on a 3.5 year old phone; I rooted and took control of my phone due to this vulnerability shortly after it was announced. )

Apple, on the other hand, doesn't trust users to manage their phones system software so they keep pushing updates. It appears that Apple is right about most users.

Nah, this won't encourage any vendors to update unless it hurts them financially.

It won't.

I agree. Presently the only financial incentive to update Android on released devices is to not appear so bad at providing updates that people will not buy your hardware (and TBH, I doubt many mainstream purchasers are led by duration of updates; at best, it affects recommendations provided by geeks who know).The financial disincentive to update is that updating has a cost of development and testing, a process of going through testing with service providers, and potentially increases the feature set on existing phones which reduces the feature gap between the old phone model and new phone model.

Sure, people get (very) annoyed about things like the HTC One X potentially not getting updates for long but I really think that is a small enough subset of people that HTC can (and probably will) throw them under the bus. (They claim that Nvidia is the problem, but for at least a subset of devices the drivers are already out there so it doesn't hold water).

Of course, another option would be to just release security updates and not actually update Android version (in the sense of not going from 4.0 to 4.1). So long as they don't need to change drivers, that means they are not dependent on Qualcomm, Nvidia etc to provide new device drivers. That would probably require Google to fix the security issues in older versions of Android and do releases with the fixes, and I don't know how likely that is.

I haven't seen a post hit the nail on the head as accurately as this explanation. Adding in some conjecture, I can easily see business leaders having frank conversations about costs on testing and rolling out new updates to phones, platform by platform and phone model by phone model, balanced the negative press (affects sales by a slight downward trend). Since the negative press is mostly connected to "in-the-know" people such as IT or technology minded -philes then the general public isn't swayed.

Until we have massive breaks in security publisized like what happened recently at some retailers (Target, et al) then the general public will continue to evaluate phones as they always have - features, prices, coolness factor - and not consider security.

Seems to me that would be the difference between this being a problem and a disaster.

Depending on the ads, they might. Most mobile ads are either "pre-programmed" (text goes here, image goes there), or static images. But MRAID ads can use HTML5 content. A reputable ad network should ensure the authenticity of its ads, however, for business reasons if none other.

We've seen multiple cases where major ad networks have inadvertently distributed malware. "Should", maybe, but in practice it is clearly not something they do well, if they do it at all.

It doesn't fit their business model, which is:1. Customer approaches you with money and an ad to put on your network.2. Take customer's money; post customer's ad.

I am quite literally not buying another 'smart' 'phone' until I can get a halfway usable one running an OS that isn't beholden to one or more giant evil corporations. I refuse to run iOS because I'll be f!cked if I'm going to pay for something that doesn't allow me to install whatever I please, and Android ... yeah. This. And no updates. And so forth.

I hope Mozilla and/or Ubuntu manage to turn out something that's usable. I got a dumbphone for $15 off ebay a while back until then.

Why not write your own OS?

I know, right? No-one has ever built a statue for a critic, after all.

Just because someone is incapable or unwilling to build an entire smartphone OS from scratch, they don't deserve privacy in their personal devices, amirite? Since you clearly have a home-brewed operating system running on your devices, I have to assume that qualified computer security professionals have reviewed it and found it secure. Right?

You seem to be the one incapable of managing to use any of the available devices in a reasonable and secure manner.

Given your griping it seemed like a reasonable question.

I know you intended your post as an insult, but no, I'm not capable of using a phone in a secure manner. And I doubt you are either, even if you think you are. I'm not going to belabor the point, but:

AOSP is, well, open source, but there's so much closed-source code running on your typical Android phone that it hardly matters. I have no assurances that either stock Android encryption or Samsung's encryption are genuinely secure. Also, this: http://www.extremetech.com/computing/15 ... he-freezer

So I hardly see it as an unreasonable conclusion to decide to buy an inexpensive phone, assume that it's fundamentally insecure, and then not put anything on it that one cares about keeping private.

Oh, and I forgot the most important part of all: If you can be thrown in jail until you unlock your phone, your phone is not secure, no matter who makes it, what operating system it runs, or what steps you take to secure it.